
How to read email headers in plain language

The part of an email you read (sender name, subject, body) is the part the sender fully controls. The part the sender doesn't fully control rides above it: the headers, a routing record stamped by every mail server the message passed through. When an email's honesty is in question, the headers are where the answer lives, and reading them takes a map, not a degree.

The headers that matter

Five fields do most of the work. From is the claimed sender; it is freely writable, so treat it as a claim. Reply-To is where your reply will actually go; when it silently differs from From, someone wants replies to go somewhere other than the apparent sender. Return-Path is the envelope address the sending server used, another point that should normally align with From. The Received chain is the heart of it: each server that handled the message added a stamped line, newest on top, so reading bottom-up walks the message's actual route from origin to your inbox, with timestamps. Authentication-Results records what your receiving server concluded about the sender's legitimacy, and is covered in its own article.

What a healthy route looks like

A legitimate email from a company travels a short, sensible path: the company's mail system, perhaps its sending service, then your provider, with hop-to-hop gaps of seconds. The patterns worth attention: a From domain that never appears anywhere in the actual route; an origin server in a country that makes no sense for the sender; long unexplained gaps between hops; and any mismatch among From, Reply-To, and Return-Path on a message asking for money or credentials. None of these alone convicts, since mailing services legitimately send on companies' behalf all the time, but on a consequential email, misalignment is the cue to verify by another channel.
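The checks described above can be sketched in a few lines of Python. This is an added example, not DocVerdict's own code: it reads the Received chain bottom-up, measures hop-to-hop gaps, and compares the From, Reply-To and Return-Path domains. The sample message is constructed, and the function names, the 300-second gap threshold and the exact-domain comparison are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message); all domains are reserved test names.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.mailer.example.net (mx.mailer.example.net [203.0.113.7])
\tby mx.inbox.example.org with ESMTPS id abc123;
\tTue, 04 Mar 2025 10:15:42 +0000
Received: from app01.internal (app01.internal [10.0.0.5])
\tby mx.mailer.example.net with ESMTP id xyz789;
\tTue, 04 Mar 2025 10:00:02 +0000
From: "Example Billing" <billing@example.com>
Reply-To: payments@example-billing.test
To: user@inbox.example.org
Subject: Invoice overdue

Please pay today.
"""

def domain(value):
    """Lower-cased domain of the address in a header value ('' if missing)."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def route(msg):
    """Received hops oldest-first: (receiving host, timestamp, gap in seconds)."""
    hops, prev = [], None
    for raw in reversed(msg.get_all("Received", [])):  # newest is on top
        info, _, stamp = " ".join(str(raw).split()).rpartition(";")
        when = parsedate_to_datetime(stamp.strip())
        by = info.partition(" by ")[2].split(" ")[0] or "?"
        hops.append((by, when, (when - prev).total_seconds() if prev else 0.0))
        prev = when
    return hops

def findings(msg, max_gap=300):  # max_gap is an assumed threshold, tune it
    """Patterns worth attention; cues to verify, not proof of fraud."""
    sender, out = domain(msg["From"]), []
    for name in ("Reply-To", "Return-Path"):
        other = domain(msg[name])
        if other and other != sender:  # exact match is stricter than many setups
            out.append(f"{name} domain {other} != From domain {sender}")
    if not any(sender in str(r).lower() for r in msg.get_all("Received", [])):
        out.append(f"From domain {sender} never appears in the route")
    out += [f"{int(gap)}s gap before {by}" for by, _, gap in route(msg) if gap > max_gap]
    return out

if __name__ == "__main__":
    print("\n".join(findings(message_from_string(SAMPLE_EML, policy=policy.default))))
```

A legitimate mailing service will trip the Return-Path comparison, so each finding is a prompt to check the message by another channel, not a verdict.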

Getting to the headers

Every mail client hides them somewhere: "Show original" in Gmail, "View source" or message properties elsewhere. The reliable route for analysis is to save the email as a .eml file, which preserves the full headers exactly, and read that; saving is the subject of its own guide here.

FAQ

Can headers be faked?

The ones the sender writes, yes, From especially. The Received lines added by servers after the message left the sender's control, including your own provider's, are far harder to falsify, which is why the route outweighs the claim.

Why do legitimate emails sometimes come from weird-looking servers?

Mailing platforms, CRMs, and ticket systems send on behalf of companies constantly. Alignment can be loose for newsletters and tight for anything transactional; the question is always whether the route fits what the email asks of you.

Do forwarded emails keep their headers?

Forwarding wraps the message: you see the forwarder's route, not the original's. For analysis, you need the original as a file, not a forward of it.

Check an email now

Save the message as a .eml file and drop it on DocVerdict's email check. Route timeline, sender alignment, and authentication results in plain language, in seconds. Free check, no account, files never stored.